Mike Mohr <akihana@gmail.com> wrote:

(intentionally not snipping much)

quoted text
> Per the post here:
> 
> http://lkml.org/lkml/2007/6/18/228
> 
> it appears that the group ownership patch has made it into .23.  I am
> using these patches, amongst which the kernel component appears to be
> identical:
> 
> http://sigxcpu.org/unsorted-patches/0001-allow-tun-ownership-by-group.patch
> http://sigxcpu.org/unsorted-patches/tunctl_gid.diff
> 
> I can create devices that are owned by my user account (tunctl -u
> `whoami` -t tap0) and it works fine.  However, if I use group
> permissions with -g it stops working.  In all cases, if I pass -g
> <group>, the interface is created correctly but it is unusable as a
> non-root user.
> 
> So my question is: am I doing something wrong?  If I am, I don't see
> it.  Assuming then that I am not doing anything wrong on my end, I
> assume then that there is something missing from the kernel patch I
> applied.  I read over it and I can't see any issues, especially
> considering that tunctl comes back without error (even with -g) and
> creates an interface.
> 
> Just wondering if this was an issue that should be looked into--


IMHO the check is broken:

+               if (((tun->owner != -1 &&
+                     current->euid != tun->owner) ||
+                    (tun->group != -1 &&
+                     current->egid != tun->group)) &&
+                    !capable(CAP_NET_ADMIN))
                        return -EPERM;

It should be something like:

+               if (!((tun->owner == tun->owner) ||
+                     (tun->group == tun->group) ||
+                     capable(CAP_NET_ADMIN)))
                        return -EPERM;

Please verify and forward to the maintainers if my guess appears to be correct.
-- 
Never stand when you can sit, never sit when you can lie down, never stay
awake when you can sleep.

Friß, Spammer: xxh@n.btxp.7eggert.dyndns.org
-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/